Australian policing agencies sent Microsoft 1746 data requests last year

Microsoft received 1746 customer data requests from Australian law enforcement agencies in 2020, representing a slight fall in volume compared to the previous two years.

The company’s latest twice-yearly law enforcement request report reveals 900 data requests were received in the second half of last year, with 1078 accounts or users specified in the requests.

For the first six months to July 2020, there were 856 customer data requests pertaining to 1104 accounts or users, bringing the total number of law enforcement requests for the year to 1746.

The figure – which is less than 2019 (1785 requests) and 2018 (1767 requests), but not 2017 (1637 requests) – represents only a fraction of the 48,891 customer data requests received by Microsoft globally last year.

The report shows the vast majority of Australia law enforcement requests (77.8 percent between January and June and 75 percent between July and December) resulted in the release of only subscriber/transactional data or “non-content data”.

Non-content data could include an individual’s email address, name, state, postcode and IP address at the time of registration, as well as IP connection history and billing information where applicable.

The remaining requests resulted in the disclosure of no customer data (12.2 percent and 13.2 percent respectively for each half-year period) or were rejected for not meeting legal requirements (12.2 percent and 11.8 percent).

The report indicates that a subpoena or local equivalent is required to request non-content data, while a warrant, court order or its local equivalent is required for content data.

Microsoft said customer data requests were rejected if “facially invalid, improperly served on us, or [they] requested data of a type not supported by the order or of the incorrect technology company”.

‘We may reject a request if it is not signed or not appropriately authorised, contains wrong dates, is not properly addressed, contains material mistakes, or is overly broad,” the report states.

“We may also reject requests when no legal reason exists why the government cannot seek the data from enterprise customers themselves, rather than from Microsoft.”

While the report seeks to increase transparency around the number of law enforcement requests received, the true extent of requests in Australia is obscured by the Assistance and Access Act.

The law prohibits companies from disclosing details about the use of those specific powers, meaning there is limited reporting, bar the yearly Telecommunications (Inception and Access) Act annual report.

The latest report shows that those powers were used 11 times by law enforcement agencies in their first full-year of operation, the majority of which were issued by NSW Police.